frp-是什么">frp 是什么?
frp 是一个专注于内网穿透的高性能的反向代理应用,支持 TCP、UDP、HTTP、HTTPS 等多种协议。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网
github源码:https://github.com/fatedier/frp/
官方文档:概览 | frp
oidc认证
frp一般是使用token认证,但是token过于简单,因此,决定使用oidc进行认证
OIDC 是 OpenID Connect
的简称,验证流程参考 Client Credentials Grant。
oidc搭建
本次是基于Django进行搭建
依赖文件requirement.txt如下
Django==4.1
django-cors-headers==3.13.0
django-oauth-toolkit==2.1.0
djangorestframework==3.13.1
PyJWT==2.4.0
主要使用的是 django-oauth-toolkit 模块,该模块官方文档 Welcome to Django OAuth Toolkit Documentation — Django OAuth Toolkit 2.1.0 documentation
然后根据文档进行操作
1.启动一个新的 Django 项目并"rest_framework"和"oauth2_provider"添加到您的INSTALLED_APPS设置中
INSTALLED_APPS = (
'django.contrib.admin',
...
'oauth2_provider',
'rest_framework',
)
2.现在我们需要告诉 Django REST Framework 使用新的身份验证后端。请在settings.py模块的末尾添加以下行
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
)
}
3.创建一个简单的 API 来访问用户和组
a,创建一个oauth.py文件,内容如下
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# project : xfrp
# filename : oauth.py
# author : ly_13
# date : 2022/9/2
from django.contrib.auth.models import User, Group
from rest_framework import generics, permissions, serializers
from oauth2_provider.contrib.rest_framework import TokenHasReadWriteScope, TokenHasScope
# first we define the serializers
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ('username', 'email', "first_name", "last_name")
class GroupSerializer(serializers.ModelSerializer):
class Meta:
model = Group
fields = ("name",)
# Create the API views
class UserList(generics.ListCreateAPIView):
permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope]
queryset = User.objects.all()
serializer_class = UserSerializer
class UserDetails(generics.RetrieveAPIView):
permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope]
queryset = User.objects.all()
serializer_class = UserSerializer
class GroupList(generics.ListAPIView):
permission_classes = [permissions.IsAuthenticated, TokenHasScope]
required_scopes = ['groups']
queryset = Group.objects.all()
serializer_class = GroupSerializer
b.添加URL
from django.contrib import admin
from django.urls import path, include
from api.views.oauth import UserList, UserDetails, GroupList
admin.autodiscover()
urlpatterns = [
path("admin/", admin.site.urls),
path('o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
path('users/', UserList.as_view()),
path('users/<pk>/', UserDetails.as_view()),
path('groups/', GroupList.as_view()),
]
4,添加oauth配置信息 到settings.py模块中
OIDC还需要jwt令牌签名算法,使用的是rs256 非对称加密,因此还需要一个rsa私钥,可以通过openssl命令生成
openssl genrsa -out oidc.key 4096
注意:此密钥的内容必须保密。不要将它放在您的设置中并将其提交给版本控制!
from oauthlib.oauth2.rfc6749.tokens import signed_token_generator
OAUTH2_PROVIDER = {
"OIDC_ENABLED": True,
"OIDC_RSA_PRIVATE_KEY": open(os.path.join(BASE_DIR, 'oidc.key'), 'r').read(),
"SCOPES": {
"openid": "OpenID Connect scope",
"read": 'Read scope',
'write': 'Write scope',
'groups': 'Access to your groups'
},
"EXTRA_SERVER_KWARGS": {
"token_generator": signed_token_generator(open(os.path.join(BASE_DIR, 'oidc.key'), 'r').read(),
**{'iss': 'http://10.66.8.100:8000/o', 'aud': 'openid'})
},
}
5,迁移数据,并创建管理员用户
python manage.py migrate
python manage.py createsuperuser
python manage.py runserver
6,访问admin,然后注册新的应用程序
http://localhost:8000/admin
然后再访问
http://localhost:8000/o/applications/
a.进行注册应用
b.配置frps服务端,编写frps.ini文件
[common]
bind_port = 8888
authentication_method = oidc
oidc_issuer = http://10.66.8.100:8000/o
oidc_audience = openid
c.配置frpc客户端,编写frpc.ini文件
[common]
server_addr = 10.66.8.100
server_port = 8888
authentication_method = oidc
oidc_client_id = Aybonk9RoG1I6YzTLKUDnPXU647rtJymig0I2PPj
oidc_client_secret = fNPvjFbZv6Q0IUwE4o2QAHAWjtdlQbgO75RjU3IbKEdythlKmUu3ZShlO8juOhsxCbE7U9gAgXQTbUMsoXt5YrshAt2CwARSz63T5OfnbhwPNl8HtsdqfG2HMFRjMaCK
oidc_audience = openid
oidc_token_endpoint_url = http://10.66.8.100:8000/o/token/
[nginx]
type = tcp
local_ip = 127.0.0.1
local_port = 80
remote_port = 29999
d.启动服务端
会发现django服务有请求如下
e.启动客户端
客户端也正常启动,没有报错
会发现django服务有请求如下
说明请求成功,客户端的端口也已经映射到服务器上面了
错误解决
1.token格式不对,compact JWS format must have three parts
2022/09/05 08:28:55 [E] [service.go:340] invalid OIDC token in login: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
2022/09/05 08:28:55 [W] [service.go:128] login to server failed: invalid OIDC token in login: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
invalid OIDC token in login: oidc: malformed jwt: square/go-jose: compact JWS format must have three parts
这个需要oidc返回jwt格式的数据,也就是 xxx.xxx.xxx 类似用电分割的加密数据
2.iss不一致,id token issued by a different provider
2022/09/05 08:30:50 [E] [service.go:340] invalid OIDC token in login: oidc: id token issued by a different provider, expected "http://127.0.0.1:8000/o" got ""
2022/09/05 08:30:50 [W] [service.go:128] login to server failed: invalid OIDC token in login: oidc: id token issued by a different provider, expected "http://127.0.0.1:8000/o" got ""
invalid OIDC token in login: oidc: id token issued by a different provider, expected "http://127.0.0.1:8000/o" got ""
这个需要在生成jwt的时候,加上iss字段
3.audience不正确,oidc: expected audience "openid"
2022/09/05 08:32:17 [E] [service.go:340] invalid OIDC token in login: oidc: expected audience "openid" got []
2022/09/05 08:32:17 [W] [service.go:128] login to server failed: invalid OIDC token in login: oidc: expected audience "openid" got []
invalid OIDC token in login: oidc: expected audience "openid" got []
这个需要在生成jwt的时候,加上openid字段,并且和配置文件保持一致
参考文档
OpenID Connect — Django OAuth Toolkit 2.1.0 documentation
文档 | frp